| ▲ | reactordev an hour ago |
| not the same thing. Containerization prevents devUser from accessing your machine root with its root. By containerizing, if devUser tries to sudo or su and gets a root, it will only be their root and not your root. Read up on cgroups. |
|
| ▲ | progval an hour ago | parent | next [-] |
| Successful sudo from a cgroup still makes you root on the machine. What you want for this is user namespaces, not (just) cgroups. |
| |
| ▲ | reactordev 43 minutes ago | parent [-] | | yes, you would setup namespace and unshare it once mounted to isolate the sandbox so root only sees the sandbox / and not your / |
|
|
| ▲ | grosswait an hour ago | parent | prev [-] |
| Why would you allow devUser sudo? |
| |
| ▲ | reactordev 40 minutes ago | parent [-] | | normally you wouldn't but there are some instances where a script or something requires sudo in which case you would need to namespace the cgroup and do a little more work to prevent escaping the sandbox. I can think of a few cases where sudo is required for cgroups/containers from the sandbox side so it can install services and things but ideally you would isolate everything to the devUser UID or GID. |
|